On April 8th 2014 the FBI issued a warning to the healthcare industry.
The two page report informed providers that healthcare data was far more valuable than credit card data or social security numbers, because it could be used for identity theft. To further accentuate the need for security investment, the report continued:
"The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
Fast-forward almost three years, and the FBI’s warning is looking very accurate. Almost 90 percent of all healthcare organizations in the U.S. have suffered a breach in the last two years. Unbelievably, the estimated annual cost of these breaches to the healthcare industry clocks in at $6.2 billion.
So what went wrong? Was the FBI’s warning not heeded? Have attackers become exponentially more sophisticated since 2014? And how does the healthcare industry’s level of cyber security measure up now?
To answer these questions, we’ll consider three vital areas of organizational security: culture, infrastructure, and personnel.
Our biggest concern with healthcare security culture is an over-focus on compliance. HIPAA compliance may be a necessity for healthcare organizations, but it doesn’t equal security.
In fact, meeting the needs of HIPAA compliance doesn’t even guarantee a healthcare organization will not be found negligent if a breach does occur. A quick glance at the HHS website shows us that since 2003 only 31 percent of investigations into healthcare breaches found that no violation had occurred.
So not only does a (sole) focus on compliance fail to secure healthcare organizations against cyber attack, it doesn’t even come close to guaranteeing they won’t be fined for non-compliance when a breach does occur.
The focus on compliance is merely a symptom of a larger problem. Quite simply, most healthcare organizations are not taking security as seriously as they need to. David Finn, Health IT Officer at Symantec, puts it like this:
“No doctor leaves his car unlocked at the hospital, but we’re pretty close to doing that with ePHI (electronic protected health information). We would no more send patients to the wrong specialist or give them the wrong diagnosis, yet we leave computers unlocked and use unprotected jump drives.”
Mac McMillan, Chairman of the HIMSS Privacy & Security Policy Task Force, added:
“The irony is that information technology and data in healthcare are clearly critical to the mission of providing care, yet data security is an afterthought.”
As things stand, healthcare organizations place a disproportionate emphasis on incident response, while undervaluing preemptive investment in security. As a result, healthcare breaches cost organizations up to $398 per record, compared to $215 for financial institutions, and $165 for retailers.
But still, this isn't the root of the problem. The simple truth is that right now, even senior security officers such as CISOs are not routinely interacting with board-level leaders. According to the HIMSS Analytics Healthcare IT Security and Risk Management Study, only 10 percent of healthcare organizations have security on the agenda at every board meeting. In 54 percent of cases, security is only on the agenda when specifically requested by the board.
No surprises, then, that healthcare security budgets are smaller than those of any other major industry. On average, healthcare organizations allocate just 6 percent of IT budgets to security, and in over half of organizations that figure falls to less than 3 percent.
Healthcare Security Infrastructure: A Faulty Foundation?
As we've already alluded to in previous posts, healthcare environments are typically far more complex than other industries. The number of non-technical staff, on-site patients, and complex electronic devices makes securing a healthcare organization a daunting task.
Strange, then, that electronic health records (EHRs) and other digital healthcare systems have, in the vast majority of cases, been implemented without considering the need for security. It’s bad enough that most healthcare device manufacturers include no native security; the self-inflicted damage of deploying systems without security in mind has been a source of great frustration for many healthcare CISOs.
And of course, the rate of technological change is phenomenal. According to PWC research, 86 percent of clinicians believe mobile applications will play a central role in patient health management within the next few years. Add in the inevitable and perpetually insecure applications of BYOD and network-enabled devices, and you’ll see the need for a whole new layer of security that doesn’t currently exist.
The Personnel Problem
Of course, no factor is more important in ensuring the security of an organization than having the right people. Skilled, experienced security personnel can have a tremendous impact on overall security, even in cases where resources are limited.
But of course, with healthcare security budgets being so low, and the industry placing such little emphasis on the need for security, most healthcare security teams are sparsely populated.
Again according to the HIMSS Analytics survey, 72 percent of healthcare organizations have fewer than five IT employees allocated to data security, and only 10 percent have more than 20.
The numbers aren’t the only problem. Where organizations in the financial and retail industries have demonstrated an ability to hire and retain top quality talent, the same can't be said for the healthcare industry. While budgets no doubt play a part in this, turnover could also be attributable to the undervaluation of the role of security. Talented CISOs facing an uphill battle in healthcare may be more attracted to industries where their talents would be fully appreciated and utilized.
Until healthcare organizations dramatically change their stance on security, then, it seems unlikely that top quality security professionals will be flocking to the industry.
Sadly, despite warnings from the FBI and valiant efforts of many healthcare security officers, the current state of maturity in healthcare cyber security leaves a lot to be desired.
While infrastructure and personnel certainly pose problems for the industry, there’s no doubt in our minds that a shift in culture is what’s really needed. If top level healthcare executives start to take security seriously, these secondary issues can be resolved with a concerted effort. Until that happens, though, no great improvements are likely to occur.
So how can we bring about the necessary culture change?
As you’d expect, healthcare CISOs and other senior security officers will play the vital role. It falls on these officers to educate board-level executives on the need for enhanced security, and that’s going to take time. The next step is a comprehensive program that protects employees from targeted attacks. The program must include effective security awareness training for all staff that interact with IT systems.
In the remainder of this series on healthcare security, we’ll look at how healthcare breaches happen, and what can be done to prevent them. We’ll also consider the arguments in favor of enhanced healthcare security, and do our best to arm CISOs with the data and discussion points necessary to facilitate serious conversations with senior executives.
For all this and more, keep following the blog in the coming weeks.
From February 19-23, PhishLabs will be at HIMSS 17 booth 6689 in Orlando, Florida. If you’d like to meet with us to discuss our 24/7 protection against attacks targeting your employees, systems, and data, please get in touch.